input {
  syslog {
    type => syslog
    port => 5544
  }
  file {
    type => "syslog"
    path => "/var/log/messages"
    start_position => "beginning"
  }
#  lumberjack {
#    # The port to listen on
#    port => 12345
#
#    # The paths to your ssl cert and key
#    ssl_certificate => "/etc/logstash/logstash-forwarder.crt"
#    ssl_key => "/etc/logstash/logstash-forwarder.key"
#
#    # Set this to whatever you want.
#    type => "logs"
#  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}  (%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}|%{GREEDYDATA:syslog_message})" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{@source_host}" ]
    }

    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message" ]
    }
    date {
      match => [ "syslog_timestamp","MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    }
    syslog_pri { }
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}
